properly handle escaping of children

bottledcode · Oct 29, 2023 · 2f49185 · 2f49185
1 parent ec3b0c0
commit 2f49185
Show file tree

Hide file tree

Showing 5 changed files with 112 additions and 7 deletions.
diff --git a/.idea/php.xml b/.idea/php.xml
diff --git a/src/Template/Parser/StreamingCompiler.php b/src/Template/Parser/StreamingCompiler.php
@@ -112,6 +112,9 @@ private function renderCharacterReference($document): Document
 
 	private function escapeData(int $selectionStart, Document $document): Closure
 	{
+		if($this->blockAttributes) {
+			return static fn(Closure $x) => $x($document);
+		}
 		$end = $document->mark() - 1;
 		$originalData = substr($document->code, $selectionStart, $end - $selectionStart);
 		$data = $this->blobber->replaceBlobs($originalData, $this->escaper->escapeHtml(...));
@@ -429,12 +432,18 @@ private function renderOpenTagName(Document $document): Document
 			case 'title':
 			case 'textarea':
 				$this->mustMatch = $tag;
+				if($this->blockAttributes) {
+					return $this->renderRCData($document);
+				}
 				$now = $document->mark();
 				return $this->renderRCData($document)
 					->snip($now, $this->lastTagCloseOpen, $output)
 					->insert($this->blobber->replaceBlobs($output, $this->escaper->escapeHtml(...)), $now);
 			case 'style':
 				$this->mustMatch = $tag;
+				if($this->blockAttributes) {
+					return $this->renderRawText($document);
+				}
 				$now = $document->mark();
 				return $this
 					->renderRawText($document)
@@ -447,12 +456,18 @@ private function renderOpenTagName(Document $document): Document
 			case 'plaintext':
 			case 'noframes':
 				$this->mustMatch = $tag;
+				if($this->blockAttributes) {
+					return $this->renderRawText($document);
+				}
 				$now = $document->mark();
 				return $this->renderRawText($document)
 					->snip($now, $this->lastTagCloseOpen, $output)
 					->insert($this->blobber->replaceBlobs($output, $this->escaper->escapeHtml(...)), $now);
 			case 'script':
 				$this->mustMatch = $tag;
+				if($this->blockAttributes) {
+					return $this->renderScriptData($document);
+				}
 				$now = $document->mark();
 				return $this
 					->renderScriptData($document)
@@ -1180,13 +1195,15 @@ private function renderAfterAttributeValueQuoted(Document $document): Document
 
 	private function processAttributes(Document $document): Document
 	{
-		$value = $this->blobber->replaceBlobs(
-			$this->attributeValue,
-			$this->escaper->escapeHtmlAttr(...)
-		);
+		if($this->blockAttributes) {
+			return $document;
+		}
+
+		$originalValue = $this->blobber->replaceBlobs($this->attributeValue, fn($_) => $_);
+		$value = $this->escaper->escapeHtmlAttr($originalValue);
 		// escaper doesn't escape single quotes, so we do that here.
 		$value = str_replace("'", '&#39;', $value);
-		$this->setAttribute($this->attributeName, $value);
+		$this->setAttribute($this->attributeName, $originalValue);
 		if ($value !== $this->attributeValue) {
 			// we need to update the rendered html too...
 			$here = $document->mark();

diff --git a/tests/StreamingTest.php b/tests/StreamingTest.php
@@ -213,3 +213,78 @@ public function render(): string
 			)->getHeader('Set-Cookie')[0]
 		)->toStartWith('csrf_token=');
 });
+
+test('data providers do not escape their children', function () {
+	$container = containerWithComponents([
+		'provider' => new class implements \Bottledcode\SwytchFramework\Template\Functional\DataProvider {
+
+			public function provideAttributes(): array
+			{
+				return ['test' => 'test'];
+			}
+
+			public function provideValues(string $value): mixed
+			{
+				return $value;
+			}
+
+			public function render(string $test = ''): string
+			{
+				if ($test) {
+					return 'oh no';
+				}
+				return '<children></children>';
+			}
+		},
+		'echo' => new class {
+			public function render(string $test = ''): string
+			{
+				return $test;
+			}
+		},
+		'empty' => new class {
+			public function render()
+			{
+				return '';
+			}
+		}
+	]);
+	$streamer = $container->get(StreamingCompiler::class);
+	$document = <<<HTML
+<provider><empty /></provider>
+<provider>
+<echo test="overridden" />
+</provider>
+<echo test="not overridden" />
+HTML;
+
+	$result = $streamer->compile($document);
+	expect($result)->toMatchHtmlSnapshot();
+});
+
+it('passes variables correctly', function () {
+	$container = containerWithComponents([
+		'echo' => new class {
+			public function render(string $test = ''): string
+			{
+				return $test;
+			}
+		},
+		'child' => new class {
+			public function render(string $test = ''): string
+			{
+				return "<div>{{$test}}<children/></div>";
+			}
+		}
+	]);
+
+	$streamer = $container->get(StreamingCompiler::class);
+	$document = <<<HTML
+<echo test="{some text}" />
+<child test="{outer text}">
+<echo test="{inner text}" />
+</child>
+HTML;
+	$result = $streamer->compile($document);
+	expect($result)->toMatchHtmlSnapshot();
+});
diff --git a/tests/__snapshots__/StreamingTest__data_providers_do_not_escape_their_children__1.html b/tests/__snapshots__/StreamingTest__data_providers_do_not_escape_their_children__1.html
@@ -0,0 +1,5 @@
+<html><body><p>test
+
+not overridden
+
+</p></body></html>
diff --git a/tests/__snapshots__/StreamingTest__it_passes_variables_correctly__1.html b/tests/__snapshots__/StreamingTest__it_passes_variables_correctly__1.html
@@ -0,0 +1,8 @@
+<html><body>
+<p>some text
+</p>
+<div>outer text
+inner text
+</div>
+
+</body></html>